How Decryption Without Password Works
When you import an encrypted backup file or tape media to the backup server, you need to enter a password to decrypt data. In some cases, however, a password can be lost or forgotten. Veeam Backup & Replication offers a way to restore data from encrypted backups or tapes even if a password is not available.
You can restore of data from encrypted backups or tapes without a password only if your backup infrastructure meets the following conditions:
- You use Veeam Universal License (for a legacy socket-based license, Enterprise or higher edition).
- The backup servers on which you encrypted data is added to Veeam Backup Enterprise Manager.
- The backup server on which you generate a request for data decryption is added to Veeam Backup Enterprise Manager.
If the backup server on which you encrypt data is added to Veeam Backup Enterprise Manager, Veeam Backup & Replication employs the public Enterprise Manager key in the encryption process. To decrypt backups or tapes encrypted with the public Enterprise Manager key, you can apply a matching private Enterprise Manager key, instead of a password. The private Enterprise Manager key unlocks the underlying storage keys and lets you access the content of an encrypted file.
The restore process is accomplished with the help of two wizards that run on two servers:
- The Encryption Key Restore wizard on the backup server.
- The Password Recovery wizard on the Veeam Backup Enterprise Manager server.
The restore process includes the next steps:
- You start the Encryption Key Restore wizard on the backup server to issue a request for data recovery.
- The Encryption Key Restore wizard generates a request to Veeam Backup Enterprise Manager. The request has the format of a text document and contains cryptograms of storage keys that must be decrypted, together with information about the public Enterprise Manager key that was used to encrypt data. At the end of the request, the backup server adds a signature encrypted with a private backup server key.
- You send the request to the Veeam Backup Enterprise Manager Administrator, for example, using email.
- The Veeam Backup Enterprise Manager Administrator starts the Password Recovery wizard on Veeam Backup Enterprise Manager and inserts the text of the request to the wizard.
- Veeam Backup Enterprise Manager finds a matching public backup server key in Veeam Backup Enterprise Manager configuration database and decrypts the signature with this key.
- Veeam Backup Enterprise Manager decrypts storage keys with the private Enterprise Manager key available on Veeam Backup Enterprise Manager, and generates a response in the Password Recovery wizard. The response has the format of a text document and contains decrypted storage keys.
- The Veeam Backup Enterprise Manager Administrator sends the response to you, for example, using email.
- You input the request to the Encryption Key Restore wizard. Veeam Backup & Replication processes the response, retrieves the decrypted storage keys and uses them to unlock encrypted backups or tapes and retrieve their content.
You can recover data only if Veeam Backup Enterprise Manager has a private Enterprise Manager key matching the public Enterprise Manager key that was used for data encryption. If a matching private Enterprise Manager key is not found in the Veeam Backup Enterprise Manager configuration database, the Password Recovery wizard will fail. In such situation, you can import a necessary private Enterprise Manager key via the import procedure. For more information, see Exporting and Importing Enterprise Manager Keys in Veeam Backup Enterprise Manager User Guide.